Several security related problems have been discovered in osh, the operator's shell for executing defined programs in a privileged environment. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2005-3347

Charles Stevenson discovered a bug in the substitution of variables that allows a local attacker to open a root shell.

CVE-2005-3533

Solar Eclipse discovered a buffer overflow caused by the current working directory plus a filename that could be used to execute arbitrary code and e.g. open a root shell.

For the old stable distribution (woody) these problems have been fixed in version 1.7-11woody2.

For the stable distribution (sarge) these problems have been fixed in version 1.7-13sarge1.

For the unstable distribution (sid) these problems have been fixed in version 1.7-15; however, the package has been removed entirely.

We recommend that you upgrade your osh package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below: